CN113783850A - Network protection method, device, equipment and machine readable storage medium - Google Patents

Network protection method, device, equipment and machine readable storage medium

Info

Publication number: CN113783850A
Authority: CN (China)
Prior art keywords: weight value; protection; protection rule; performance consumption; value
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Application number: CN202110991441.2A
Other languages: Chinese (zh)
Inventor: 刘慧蕾
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): New H3C Security Technologies Co Ltd
Original Assignee: New H3C Security Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.): 2021-08-26
Filing date: 2021-08-26
Publication date: 2021-12-10
Application filed by New H3C Security Technologies Co Ltd
Priority to CN202110991441.2A
Publication of CN113783850A
Current legal status: Pending

Abstract

The present disclosure provides a network protection method, apparatus, device and machine-readable storage medium. The method comprises: configuring a weight value for each protection rule; obtaining the current performance consumption state and, when the performance consumption is greater than a preset first threshold, closing the protection rule with the lowest weight value according to the weight values; obtaining the current performance consumption state and, when the performance consumption is less than a preset second threshold, opening the protection rule with the highest weight value among the closed protection rules according to the weight values; and performing network security detection on the traffic according to the opened protection rules. Under this scheme the protection rules are dynamically opened or closed according to the performance consumption state associated with the current traffic: lower-priority protection rules are closed under heavy traffic and higher-priority protection rules are opened under light traffic, so that performance resources are fully and reasonably utilized and the attack types with the higher risk are protected against as far as possible.

Description

Network protection method, device, equipment and machine readable storage medium
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a network protection method, apparatus, device, and machine-readable storage medium.
Background
A Web Application Firewall (WAF for short) defends against common OWASP attacks such as SQL injection, XSS (cross-site scripting), common Web server plug-in vulnerabilities, Trojan upload and unauthorized access to core resources, and filters large-scale malicious CC attacks on the basis of cloud security big-data capability, so that leakage of the website's asset data is avoided and the security and availability of the website are guaranteed.
Most Web application firewalls today integrate a wide range of attack protections: they intelligently identify the service state of the Web system, optimize the defense rule base online in real time, distribute virtual patches and provide continuous security defense support. As the number of attack protection rules grows, the device performs its inherent signature-based protection (basic signature protection against SQL injection, XSS, command injection, Web scanning, malicious attacks, Web Trojans and the like) and at the same time integrates further protection rules such as anti-virus, intrusion prevention, anti-crawler, HTTP protocol inspection, code leakage and sensitive information leakage. Under the limits of device resources it is not possible to keep all protection rules effective at the same time; if all protection rules are started simultaneously, performance may degrade severely when traffic is heavy.
Disclosure of Invention
In view of the above, the present disclosure provides a network protection method, device, electronic device, and machine-readable storage medium to solve the problem that device performance is insufficient when all protection rules are enabled under heavy traffic.
The specific technical scheme is as follows:
The present disclosure provides a network protection method applied to a network security device, the method including: configuring a weight value for each protection rule; obtaining the current performance consumption state and, when the performance consumption is greater than a preset first threshold, closing the protection rule with the lowest weight value according to the weight values; obtaining the current performance consumption state and, when the performance consumption is less than a preset second threshold, opening the protection rule with the highest weight value among the closed protection rules according to the weight values; and performing network security detection on the traffic according to the opened protection rules.
As a technical solution, the first threshold is larger than the second threshold.
As a technical solution, configuring a weight value for each protection rule includes: configuring a first priority value for each protection rule large class; each protection rule large class comprises at least one protection rule subclass, and a second priority value is configured for each protection rule subclass; and configuring the weight value associated with each protection rule subclass according to its first priority value and second priority value.
As a technical solution, closing the protection rule with the lowest weight value when the performance consumption is greater than the preset first threshold means closing the protection rule subclass with the lowest weight value; and opening the protection rule with the highest weight value among the closed protection rules when the performance consumption is less than the preset second threshold means opening the protection rule subclass with the highest weight value among the closed protection rules.
The present disclosure also provides a network protection device, applied to a network security device, the device including: a configuration module for configuring a weight value for each protection rule; a weight module for obtaining the current performance consumption state and, when the performance consumption is greater than a preset first threshold, closing the protection rule with the lowest weight value according to the weight values, the weight module further obtaining the current performance consumption state and, when the performance consumption is less than a preset second threshold, opening the protection rule with the highest weight value among the closed protection rules according to the weight values; and a detection module for performing network security detection on the traffic according to the opened protection rules.
As a technical solution, the first threshold is larger than the second threshold.
As a technical solution, configuring a weight value for each protection rule includes: configuring a first priority value for each protection rule large class; each protection rule large class comprises at least one protection rule subclass, and a second priority value is configured for each protection rule subclass; and configuring the weight value associated with each protection rule subclass according to its first priority value and second priority value.
As a technical solution, closing the protection rule with the lowest weight value when the performance consumption is greater than the preset first threshold means closing the protection rule subclass with the lowest weight value; and opening the protection rule with the highest weight value among the closed protection rules when the performance consumption is less than the preset second threshold means opening the protection rule subclass with the highest weight value among the closed protection rules.
The present disclosure also provides an electronic device including a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor executing the machine-executable instructions to implement the aforementioned network defense method.
The present disclosure also provides a machine-readable storage medium having stored thereon machine-executable instructions that, when invoked and executed by a processor, cause the processor to implement the aforementioned network defense method.
The technical scheme provided by the disclosure brings at least the following beneficial effects:
The protection rules are dynamically opened or closed according to the performance consumption state associated with the current traffic: lower-priority protection rules are closed under heavy traffic and higher-priority protection rules are opened under light traffic, so that performance resources are fully and reasonably utilized and the attack types with the higher risk are protected against as far as possible.
Drawings
In order to illustrate the embodiments of the present disclosure or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly described below. Obviously, the drawings in the following description cover only some embodiments of the present disclosure, and those skilled in the art can obtain other drawings from them.
FIG. 1 is a flow chart of a network defense method in one embodiment of the present disclosure;
FIG. 2 is a block diagram of a network defense device in one embodiment of the present disclosure;
FIG. 3 is a hardware configuration diagram of an electronic device in an embodiment of the present disclosure.
Detailed Description
The terminology used in the embodiments of the present disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used in this disclosure and the claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein is meant to encompass any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information in the embodiments of the present disclosure, such information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present disclosure. Depending on the context, moreover, the word "if" as used may be interpreted as "at … …" or "when … …" or "in response to a determination".
The disclosure provides a network protection method, a network protection device, an electronic device and a machine-readable storage medium, so as to solve the problem that device performance is insufficient when all protection rules are started under heavy traffic.
The specific technical scheme is as follows.
In one embodiment, the present disclosure provides a network protection method applied to a network security device, the method including: configuring a weight value for each protection rule; obtaining the current performance consumption state and, when the performance consumption is greater than a preset first threshold, closing the protection rule with the lowest weight value according to the weight values; obtaining the current performance consumption state and, when the performance consumption is less than a preset second threshold, opening the protection rule with the highest weight value among the closed protection rules according to the weight values; and performing network security detection on the traffic according to the opened protection rules.
Specifically, as shown in FIG. 1, the method comprises the following steps:
Step S11: configure a weight value for each protection rule.
Step S12: obtain the current performance consumption state and, when the performance consumption is greater than a preset first threshold, close the protection rule with the lowest weight value according to the weight values; obtain the current performance consumption state and, when the performance consumption is less than a preset second threshold, open the protection rule with the highest weight value among the closed protection rules according to the weight values.
Step S13: perform network security detection on the traffic according to the opened protection rules.
The protection rules are dynamically opened or closed according to the performance consumption state associated with the current traffic: lower-priority protection rules are closed under heavy traffic and higher-priority protection rules are opened under light traffic, so that performance resources are fully and reasonably utilized and the attack types with the higher risk are protected against as far as possible.
In one embodiment, the first threshold is greater than the second threshold, so that the device's resource occupancy always stays within the range bounded by the first and second thresholds; performance resources are thereby fully utilized while some resource is held in reserve for emergencies.
In one embodiment, configuring a weight value for each protection rule includes: configuring a first priority value for each protection rule large class; each protection rule large class comprises at least one protection rule subclass, and a second priority value is configured for each protection rule subclass; and configuring the weight value associated with each protection rule subclass according to its first priority value and second priority value.
In an embodiment, closing the protection rule with the lowest weight value when the performance consumption is greater than the preset first threshold means closing the protection rule subclass with the lowest weight value; and opening the protection rule with the highest weight value among the closed protection rules when the performance consumption is less than the preset second threshold means opening the protection rule subclass with the highest weight value among the closed protection rules.
The WAF first assigns a first priority value to each protection rule large class, the large classes being grouped by attack characteristics, and then assigns a second priority value to each protection rule subclass within its large class. The weight value representing the total weight may be the first priority value multiplied by the second priority value, or another applicable algorithm may be adopted.
When traffic is flowing, the performance monitoring component of the device monitors its CPU and memory. When the CPU utilization and/or the memory occupancy exceeds the first threshold of the corresponding performance threshold, the device enters the protection-rule-closing state and closes the protection rules one by one, lowest weight value first. As the number of closed protection rules increases, or as traffic decreases, CPU and/or memory consumption gradually falls. When CPU and/or memory consumption drops below the second threshold, the device enters the protection-rule-opening state and opens the closed protection rules one by one, highest weight value first, so that CPU and memory occupancy rises slowly. The first threshold is greater than the second threshold; for example, the first threshold is set to 85% and the second threshold to 65%. In this way the device's resource occupancy always stays within a range and the protection rules with higher weight values are started preferentially, which implements protection against the key attacks, improves the attack protection rate and better safeguards the Web server.
The weight value, first priority value and second priority value of each protection rule can be generated automatically and can also be modified according to the actual requirements of the network environment.
When traffic is heavy, the device's resources become insufficient, for example CPU occupancy reaches 90% and memory occupancy 70%; the protection-rule-closing state is entered as soon as either the CPU or the memory reaches the first threshold.
When both CPU and memory consumption are below the second threshold, the protection-rule-opening state is entered.
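The weight scheme (large-class priority times subclass priority) and the threshold-driven open/close loop described above, as an added worked example. This code is not from the patent or from New H3C; the rule names, class and subclass priority values, the regex patterns that stand in for real detectors, the load readings and the sample request are all constructed here, and the reading that re-opening requires both CPU and memory to be below the second threshold is this example's assumption.

```python
"""Weight-driven enabling/disabling of WAF protection rules with hysteresis.

Added example, not code from the patent or from New H3C. It implements the
scheme the description outlines: weight = first priority value x second
priority value; close the lowest-weight rule when CPU or memory exceeds the
first threshold; re-open the highest-weight closed rule when consumption
drops below the second threshold; inspect traffic only with enabled rules.
Rule names, priorities, regex patterns, load readings and the sample request
are all constructed for the demonstration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProtectionRule:
    name: str             # protection rule subclass (constructed name)
    category: str         # protection rule large class (constructed name)
    class_priority: int   # first priority value, per large class
    sub_priority: int     # second priority value, per subclass
    pattern: str          # constructed regex standing in for the detector

    @property
    def weight(self) -> int:
        # One of the combination rules the description names: the product.
        return self.class_priority * self.sub_priority


class RuleScheduler:
    """Keeps device load inside (low, high) by toggling rules by weight."""

    def __init__(self, rules, high=85, low=65):
        if high <= low:
            raise ValueError("first threshold must exceed second threshold")
        self.rules = {r.name: r for r in rules}
        self.enabled = set(self.rules)   # all rules start enabled
        self.high, self.low = high, low

    def observe(self, cpu_pct: int, mem_pct: int) -> str:
        """One monitoring tick; at most one rule changes state per tick.

        Closing triggers when *either* resource is above the first threshold;
        re-opening only when *both* are below the second threshold (the
        'both' reading is an assumption of this example).
        """
        load = max(cpu_pct, mem_pct)
        if load > self.high and self.enabled:
            # Lowest weight first; the name breaks ties so order is stable.
            victim = min(self.enabled, key=lambda n: (self.rules[n].weight, n))
            self.enabled.remove(victim)
            return f"closed {victim}"
        closed = set(self.rules) - self.enabled
        if load < self.low and closed:
            best = max(closed, key=lambda n: (self.rules[n].weight, n))
            self.enabled.add(best)
            return f"opened {best}"
        return "hold"

    def inspect(self, request: str) -> list:
        """Detection pass: only enabled rules are evaluated against traffic."""
        return sorted(n for n in self.enabled
                      if re.search(self.rules[n].pattern, request, re.I))


DEMO_RULES = [  # constructed: large-class priority x subclass priority
    ProtectionRule("sqli_union", "injection", 10, 9, r"union\s+select"),  # 90
    ProtectionRule("xss_script", "injection", 10, 8, r"<script"),         # 80
    ProtectionRule("code_leak", "leakage", 4, 5, r"/\.git/"),             # 20
    ProtectionRule("crawler_ua", "crawler", 2, 5, r"python-requests"),    # 10
]


def build_demo_scheduler() -> RuleScheduler:
    # The 85% / 65% pair is the example pair given in the description.
    return RuleScheduler(DEMO_RULES, high=85, low=65)


def run_simulation(samples) -> list:
    """Feed (cpu%, mem%) readings through a fresh scheduler; return actions."""
    sched = build_demo_scheduler()
    return [sched.observe(cpu, mem) for cpu, mem in samples]


if __name__ == "__main__":
    # Constructed load trace: heavy traffic, then it tails off.
    trace = [(50, 40), (90, 70), (88, 66), (70, 60), (60, 50), (60, 50)]
    for (cpu, mem), action in zip(trace, run_simulation(trace)):
        print(f"cpu={cpu:>3}% mem={mem:>3}% -> {action}")
    sched = build_demo_scheduler()
    sched.observe(90, 70)   # crawler_ua is the first rule to be closed
    req = "GET /?id=1 UNION SELECT 1,2 HTTP/1.1\r\nUser-Agent: python-requests/2.0"
    print("matched with crawler_ua closed:", sched.inspect(req))
```

The trace shows the hysteresis the description relies on: the two readings above 85% shed the two lowest-weight rules, the 70% reading between the thresholds changes nothing, and only readings below 65% bring rules back, highest weight first. Note that the high-weight SQL injection rule is never shed while lower-weight rules remain, which is the property that keeps the key protections active under load; a practitioner would additionally log every open/close transition, since a rule being closed is a visibility gap worth alerting on.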
In one embodiment, the present disclosure also provides a network protection device, as shown in FIG. 2, applied to a network security device, the device including: a configuration module 21 for configuring a weight value for each protection rule; a weight module 22 for obtaining the current performance consumption state and, when the performance consumption is greater than a preset first threshold, closing the protection rule with the lowest weight value according to the weight values, the weight module further obtaining the current performance consumption state and, when the performance consumption is less than a preset second threshold, opening the protection rule with the highest weight value among the closed protection rules according to the weight values; and a detection module 23 for performing network security detection on the traffic according to the opened protection rules.
In one embodiment, the first threshold is greater than the second threshold.
In one embodiment, configuring a weight value for each protection rule includes: configuring a first priority value for each protection rule large class; each protection rule large class comprises at least one protection rule subclass, and a second priority value is configured for each protection rule subclass; and configuring the weight value associated with each protection rule subclass according to its first priority value and second priority value.
In an embodiment, closing the protection rule with the lowest weight value when the performance consumption is greater than the preset first threshold means closing the protection rule subclass with the lowest weight value; and opening the protection rule with the highest weight value among the closed protection rules when the performance consumption is less than the preset second threshold means opening the protection rule subclass with the highest weight value among the closed protection rules.
The device embodiments are the same or similar to the corresponding method embodiments and are not described herein again.
In one embodiment, the present disclosure provides an electronic device, which includes a processor and a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions executable by the processor, and the processor executes the machine-executable instructions to implement the foregoing network defense method; at the hardware level, a schematic diagram of the hardware architecture may be as shown in FIG. 3.
In one embodiment, the present disclosure provides a machine-readable storage medium having stored thereon machine-executable instructions that, when invoked and executed by a processor, cause the processor to implement the aforementioned network defense method.
Here, a machine-readable storage medium may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions, data, and so forth. For example, the machine-readable storage medium may be: a RAM (Random Access Memory), a volatile memory, a non-volatile memory, a flash memory, a storage drive (e.g., a hard drive), a solid state drive, any type of storage disk (e.g., an optical disk, a DVD, etc.), or a similar storage medium, or a combination thereof.
The systems, devices, modules or units described in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the various elements may be implemented in the same one or more software and/or hardware implementations in practicing the disclosure.
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Furthermore, these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (which may include, but is not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The above description is only an embodiment of the present disclosure, and is not intended to limit the present disclosure. Various modifications and variations of this disclosure will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present disclosure should be included in the scope of the claims of the present disclosure.

Claims (10)

Application Number | Priority Date | Filing Date | Title | Status | Publication
CN202110991441.2A | 2021-08-26 | 2021-08-26 | Network protection method, device, equipment and machine readable storage medium | Pending | CN113783850A (en)

Priority Applications (1)

Application Number | Publication | Priority Date | Filing Date | Title
CN202110991441.2A | CN113783850A (en) | 2021-08-26 | 2021-08-26 | Network protection method, device, equipment and machine readable storage medium

Applications Claiming Priority (1)

Application Number | Publication | Priority Date | Filing Date | Title
CN202110991441.2A | CN113783850A (en) | 2021-08-26 | 2021-08-26 | Network protection method, device, equipment and machine readable storage medium

Publications (1)

Publication Number | Publication Date
CN113783850A (en) | 2021-12-10

Family

ID=78839732

Family Applications (1)

Application Number | Status | Publication | Priority Date | Filing Date | Title
CN202110991441.2A | Pending | CN113783850A (en) | 2021-08-26 | 2021-08-26 | Network protection method, device, equipment and machine readable storage medium

Country Status (1)

Country | Link
CN (1) | CN113783850A (en)
Cited By (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN114465756A (en) * | 2021-12-20 | 2022-05-10 | 中盈优创资讯科技有限公司 | Optimized DDOS (distributed denial of service) safety protection method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN106059944A (en) * | 2016-08-18 | 2016-10-26 | 杭州华三通信技术有限公司 | Overload protection method and device
CN106603524A (en) * | 2016-12-09 | 2017-04-26 | 浙江宇视科技有限公司 | Method for combining safety rules and intelligent device
CN107580005A (en) * | 2017-11-01 | 2018-01-12 | 北京知道创宇信息技术有限公司 | Website protection method, device, website safeguard and readable storage medium storing program for executing
CN110138688A (en) * | 2019-04-15 | 2019-08-16 | 深圳壹账通智能科技有限公司 | Dynamic adjusts method, apparatus, equipment and the readable storage medium storing program for executing of business interface
CN112084036A (en) * | 2020-09-21 | 2020-12-15 | 新华三信息安全技术有限公司 | Control method and device for message detection rule, electronic equipment and storage medium
US20210058429A1 (en) * | 2019-08-21 | 2021-02-25 | International Business Machines Corporation | Dynamic balancing of security rules execution in a database protection system

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN106059944A (en) * | 2016-08-18 | 2016-10-26 | 杭州华三通信技术有限公司 | Overload protection method and device
CN106603524A (en) * | 2016-12-09 | 2017-04-26 | 浙江宇视科技有限公司 | Method for combining safety rules and intelligent device
CN107580005A (en) * | 2017-11-01 | 2018-01-12 | 北京知道创宇信息技术有限公司 | Website protection method, device, website safeguard and readable storage medium storing program for executing
CN110138688A (en) * | 2019-04-15 | 2019-08-16 | 深圳壹账通智能科技有限公司 | Dynamic adjusts method, apparatus, equipment and the readable storage medium storing program for executing of business interface
US20210058429A1 (en) * | 2019-08-21 | 2021-02-25 | International Business Machines Corporation | Dynamic balancing of security rules execution in a database protection system
CN112084036A (en) * | 2020-09-21 | 2020-12-15 | 新华三信息安全技术有限公司 | Control method and device for message detection rule, electronic equipment and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张振华: "Network security protection technology based on dynamic policy linkage response" (基于动态策略联动响应的网络安全防护技术), 《工业控制计算机》 (Industrial Control Computer) *

Similar Documents

Publication | Title
CN112073411B (en) | Network security deduction method, device, equipment and storage medium
US9106681B2 (en) | Reputation of network address
EP3416083B1 (en) | System and method of detecting anomalous events
JP2020509511A (en) | System and method for detecting malicious computing events
EP3108399A1 (en) | Scoring for threat observables
EP2766841A1 (en) | System and method for providing threshold levels on privileged resource usage in a mobile network environment
JP2006127497A (en) | Efficient white listing of user-modifiable file
US10104112B2 (en) | Rating threat submitter
US20170083702A1 (en) | Detecting Software Attacks on Processes in Computing Devices
CA2915068C (en) | Systems and methods for directing application updates
CN110134700B (en) | Data uplink method, device, computer equipment and storage medium
US20170155683A1 (en) | Remedial action for release of threat data
US10339307B2 (en) | Intrusion detection system in a device comprising a first operating system and a second operating system
US10860719B1 (en) | Detecting and protecting against security vulnerabilities in dynamic linkers and scripts
US10826944B1 (en) | Systems and methods for network security
US10210348B2 (en) | System and method of blocking access to protected applications
CN113783850A (en) | Network protection method, device, equipment and machine readable storage medium
Perakovic et al. | Research of security threats in the use of modern terminal devices
CN107124400A (en) | Intrusion prevention device and method based on security strategy
CN113992355A (en) | Attack prediction method, device, equipment and machine readable storage medium
WO2018049977A1 (en) | Method and device for guaranteeing system security
CN107547504B (en) | Intrusion prevention method and device
CN114692145B (en) | Backdoor detection method and system
CN115694976A (en) | Network defense method and device
CN114039893A (en) | API gateway speed limiting method and device

Legal Events

Date | Code | Title | Description
2021-12-10 | PB01 | Publication | Application publication date: 20211210
 | SE01 | Entry into force of request for substantive examination |
 | RJ01 | Rejection of invention patent application after publication |
